Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add an identd key to WEBIRC options #513

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

add an identd key to WEBIRC options #513

wants to merge 1 commit into from

Conversation

jesopo
Copy link

@jesopo jesopo commented Jan 24, 2023
edited

the motivation behind this is the IRCd can't do this lookup itself; an ident lookup must come from the IP to which the end user is connecting, which means the gateway has to be the one to do it.

libera.chat relies on ident responses to be able to confidently ban individual users on shared hosts; otherwise we'd have to ban ~ident, which will only hold until a user changes what they send in USER

jesopo
jesopo commented Jan 24, 2023
View reviewed changes
extensions/webirc.md
@@ -47,6 +47,7 @@ These options are defined and may be sent by clients while connecting:
- `local-port=<port>`: This flag indicates the port the gateway accepted the client connection on (e.g. `6697`, `6667`).
- `certfp-<algo>=<fingerprint>`: This flag indicates the TLS client certificate fingerprint supplied to the WebIRC gateway by the user's actual client application.
- `spkifp-<algo>=<fingerprint>`: This flag indicates the public key fingerprint for the TLS client certificate supplied to the WebIRC gateway by the user's actual client application.
- `identd=<identd-response>`: This flag indicates the gateway has done an [ident lookup](https://en.wikipedia.org/wiki/Ident_protocol) and received a response, which it is passing on to the IRCd.
Copy link
Author

@jesopo jesopo Jan 24, 2023
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

identd here was chosen because it feels like ident alone might be confused for the first USER parameter, but i'm willing to bikeshed this bit

@slingamn
Copy link
Contributor

I disapprove of ident, but this change seems fine.

@SadieCat
Copy link
Contributor

SadieCat commented Jan 24, 2023
edited

I don't think this is necessary (in 2023 gateways should be giving users their own IPv6 and not using insecure protocols like ident) and we will be ignoring it (most of our users don't even have ident support enabled and we discourage its use) but I don't really have any objection with the key existing as long as its not mandatory to do anything with it.

@jesopo
Copy link
Author

jesopo commented Jan 24, 2023

I disapprove of ident, but this change seems fine.

i tend to agree that it's a poor solution for what it's used for, but i also recognise that there isn't a workable alternative right this second. i hope one-ipv6-per-user becomes more ubiquitous, but as it stands this small spec tweak will help plumb two existing things together

@SadieCat
Copy link
Contributor

Bikeshed: an alternative to this would be some kind of unique identifier field which may or may not correlate to an identd response depending on implementation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@jesopo @slingamn @SadieCat